We help organisations navigate complicated data protection law and policy, especially in the health and social care sectors, where it is recognised that there is particularly complexity. Our projects routinely include:
- Engaging with the Independent Group Advising on the Release of Data (IGARD), formerly Data Access Advisory Group (DAAG) to access data held by NHS Digital (formerly Health and Social Care Information Centre).
- Completing Section 251 applications (NHS Act 2006) for research and non-research applications for the Health Research Authority (HRA) hosted Confidentiality Advisory Group (CAG).
- Governance, policy, protocol and procedure to satisfy the Care Quality Commission (CQC) and National Institute for Health and Care Excellence (NICE) standards where these relate to recording and processing personal data.
- Conforming with NHS England Standard Contract conditions for information governance in General Conditions clause 21, including:
o CyberAssure and Data Security and Protection Toolkit (DSPT)
o Health and Social Care Network connectivity (formerly N3)
o Information Governance Statement of Compliance (IGSoC)
o Access to NHSmail
o NHS Constitutional commitments
o NHS Care Record Guarantee
o Caldicott Guardian Principles
As well as externally imposed regulatory regimes, we work with clients to develop internal integrated governance approaches that maintain efficient and effective management control of information risk.
Our hands-on and practical approach includes:
- Audit of the requisite regime to provide management assurance of compliance
- Data Flow Mapping using our in-house developed tools
- Information Asset identification and registration – generally to ISO 27005 Information Risk Management
- Populating information risk registers
- Investigating incidents and breaches
We are increasingly shifting our focus to preparedness and compliance with the Data Protection Act 2018, incorporating the General Data Protection Regulation (GDPR). We have mapped this to IGT to enable organisations that must complete IGT to meet contractual obligations, but have limited resources, to must meet both DPA 2018/GDPR and IGT requirements once.